[PATCH] ima: Don't modify file descriptor mode on the fly

Mimi Zohar zohar at linux.ibm.com
Mon Nov 30 17:10:59 UTC 2020


On Thu, 2020-11-26 at 11:34 +0100, Roberto Sassu wrote:
> Commit a408e4a86b36b ("ima: open a new file instance if no read
> permissions") already introduced a second open to measure a file when the
> original file descriptor does not allow it. However, it didn't remove the
> existing method of changing the mode of the original file descriptor, which
> is still necessary if the current process does not have enough privileges
> to open a new one.
> 
> Changing the mode isn't really an option, as the filesystem might need to
> do preliminary steps to make the read possible. Thus, this patch removes
> the code and keeps the second open as the only option to measure a file
> when it is unreadable with the original file descriptor.
> 
> Cc: <stable at vger.kernel.org> # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode
> Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension")
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>

Thanks, Roberto, Christoph.  The patch is now queued in next-integrity.

Mimi
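The commit message above keeps one strategy for measuring a file whose original descriptor was opened without read permission: open a second, read-only instance of the same file rather than flipping the mode of the descriptor that was handed in. The following is an added user-space illustration of that principle, not the kernel's IMA code and not code from this thread. It assumes Linux semantics (fcntl F_SETFL silently ignores the O_RDONLY/O_WRONLY/O_RDWR access-mode bits, and read on a write-only descriptor fails with EBADF) and a writable /tmp; the file content and the function names are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample content; stands in for a file that would be measured. */
static const char SAMPLE[] = "measured content\n";

struct demo_result {
    int read_err;          /* errno from reading the write-only descriptor */
    int fcntl_rc;          /* return value of fcntl(F_SETFL, O_RDWR) */
    int mode_after_fcntl;  /* access mode (O_ACCMODE bits) after that fcntl */
    int reread_err;        /* errno from reading the same descriptor again */
    char content[64];      /* bytes obtained through a new read-only instance */
};

/* The strategy the patch keeps: open a separate read-only instance of the
 * same file and read through that, leaving the original descriptor alone.
 * Returns 0 on success or -errno. */
static int read_via_new_instance(const char *path, char *buf, size_t len)
{
    int rfd = open(path, O_RDONLY);
    if (rfd < 0)
        return -errno;
    ssize_t n = pread(rfd, buf, len - 1, 0);
    int saved = errno;
    close(rfd);
    if (n < 0)
        return -saved;
    buf[n] = '\0';
    return 0;
}

/* Runs the whole scenario and records each observation in *r.
 * Returns 0 when the read through the new instance succeeded, else -errno. */
int run_demo(struct demo_result *r)
{
    char path[] = "/tmp/ima-demo-XXXXXX";   /* constructed temp path template */
    char scratch[64];
    memset(r, 0, sizeof(*r));

    /* Create the file and fill it with the constructed sample. */
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    if (write(fd, SAMPLE, sizeof(SAMPLE) - 1) != (ssize_t)(sizeof(SAMPLE) - 1)) {
        close(fd);
        unlink(path);
        return -EIO;
    }
    close(fd);

    /* Model the original descriptor: opened without read permission. */
    int wfd = open(path, O_WRONLY);
    if (wfd < 0) {
        unlink(path);
        return -errno;
    }

    /* Reading through it is refused (EBADF). */
    r->read_err = (pread(wfd, scratch, sizeof scratch, 0) < 0) ? errno : 0;

    /* Trying to change the access mode in place is not an option: F_SETFL
     * ignores the O_ACCMODE bits, so the descriptor stays write-only. */
    r->fcntl_rc = fcntl(wfd, F_SETFL, O_RDWR);
    r->mode_after_fcntl = fcntl(wfd, F_GETFL) & O_ACCMODE;
    r->reread_err = (pread(wfd, scratch, sizeof scratch, 0) < 0) ? errno : 0;

    /* The supported route: a second, read-only instance of the same file. */
    int rc = read_via_new_instance(path, r->content, sizeof r->content);

    close(wfd);
    unlink(path);
    return rc;
}

int main(void)
{
    struct demo_result r;
    int rc = run_demo(&r);
    printf("read on write-only fd: %s\n", strerror(r.read_err));
    printf("fcntl(F_SETFL, O_RDWR) rc=%d, mode still O_WRONLY: %s\n",
           r.fcntl_rc, r.mode_after_fcntl == O_WRONLY ? "yes" : "no");
    printf("re-read after fcntl: %s\n", strerror(r.reread_err));
    printf("new read-only instance: rc=%d content=\"%s\"\n", rc, r.content);
    return rc ? 1 : 0;
}
```

The point the demo makes is the one in the commit message: the descriptor a caller passes in is shared state, and a measurement routine that needs read access should obtain its own instance instead of mutating the caller's, because the original open path (and the filesystem behind it) may not have set the file up for reading at all.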
